Netgate Discussion Forum
    Port 443 timeout using Netcat but is working in browser

General pfSense Questions · 20 Posts · 2 Posters · 3.4k Views
Frogg

Hi,

I have a strange behavior:

When I try the following command (WAN) I get a timeout:

    nc -v domain.com 443

When I try the following command (LAN) it works:

    nc -v localip 443

The website https://domain.com is working and is available.

On port 80 all is OK (with the same config).
Any idea where pfSense blocks my netcat request?

Thanks

johnpoz (Global Moderator)

From your LAN to your WAN IP.. What do you have on your WAN 443? A port forward, reverse proxy? Did you set up NAT reflection?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

Frogg

Sorry, I didn't mention it: a simple NAT redirect
WAN * 443 to LAN localip 443

With an equivalent rule in the firewall.

I will update the main post with screenshots after the post restriction.

Firewall:
[screenshot: firewall.png]

NAT:
[screenshot: nat.png]

johnpoz (Global Moderator)

So NAT reflection, what type, pure proxy? If you do not do the correct NAT reflection you run into asymmetrical problems..

Does it work from outside? Test with canyouseeme.org

Is pfSense listening on 443? It normally listens on 80, etc..

Why would you not just resolve domain.tld to your local IP via your local DNS (host override) vs doing a reflection? At best you're hairpinning all your traffic for no reason, and can run into issues with asymmetrical traffic flow.

[screenshot: ass.png]

Frogg

Thanks for your reply

[screenshot: network.png]

The pfSense web interface has been changed to another port (HTTPS 8080).

All 443/80 traffic is redirected to 192.168.1.4, which is an Apache displaying content from the domain name sent in the client request.

In fact all is working well (or it seems to work): websites are displayed in the browsers.

The trouble comes from tools like netcat, telnet, openssl connect, etc... on port 443 timing out as if pfSense was blocking the response.

Same trouble with all other ports. Only port 80 seems to respond.

For example:

    nc -v externalIP 111
    nc: connect to externalIP port 111 (tcp) failed: Connection timed out

but an FTP client works well (NAT 111 WAN to 21 LAN)

    nc -v domain.com 80
    Connection to domain.com 80 port [tcp/http] succeeded!

The only port working as expected.

johnpoz (Global Moderator)

Did you turn off the 80 redirect on pfSense? pfSense will attempt to redirect traffic to "it" on 80 to its SSL port.

If browsers and clients are working, then what is the problem?

Frogg

What do you mean by turn off the 80 redirect?
There is the NAT on *:80 WAN to 192.168.1.4:80 LAN with firewall rules for it.
The pfSense web site is on port 8080 HTTPS.

The trouble comes from network supervision like Zabbix:

    2:58:54  High   PROBLEM   Service web https is down on
    12:58:52 High   PROBLEM   Service web https is down on
    12:58:50 High   PROBLEM   Service web https is down on
    ....

And other tests can't be done, like SSL days left on validity, for example.

With classical NAT (physical router) this same schema is working. I really feel like pfSense is blocking the response for a reason I don't know.

johnpoz (Global Moderator)

It wouldn't be "blocking", do a sniff.. Clearly there is a response since you say browsers and clients work.

But they might be more forgiving if the response comes from a different MAC - asymmetrical.

[screenshot: redirect.png]

Frogg

Thanks,

I missed this one, now all ports don't respond (but it is OK).

I just saw something:
Netcat is working as it should from an external network, and all is OK:

    ExcAst:~ # nc -v domain.com 443
    Connection to domain.com 443 port [tcp/https] succeeded!

    ExcAst:~ # nc -v domain.com 80
    Connection to domain.com 80 port [tcp/http] succeeded!

    ExcAst:~ # nc -v domain.com 777
    Connection to domain.com 777 port [tcp/multiling-http] succeeded!
    SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

The problem comes from internal netcat requests (LAN).

Maybe it is linked to this:

    DNS fwd/rev mismatch: domain.com != machinedomain

Websites are working in LAN browsers.

johnpoz (Global Moderator)

@Frogg said in Port 443 timeout using Netcat but is working in browser:

> DNS fwd/rev mismatch: domain.com != machinedomain

which is why what you're doing is not the correct solution.. What you should be doing is DNS resolution to access your machines via their local IPs vs NAT reflection..

Frogg

Do you have any clue on how I could achieve something like that?

johnpoz (Global Moderator)

Yeah, a simple host override so that whatever.domain.tld resolves to the actual local IP you want, 192.168.1.4 I take it.

Frogg

I added the domain name to the local 192.168.1.4 machine; if I check /etc/hostname I get the domain name.

But I don't think it would fix it, as the domain name in the comparison is the host xx.xx.xx.xx.rev.poneytelecom.eu reverse DNS.

Or I am really missing something.

johnpoz (Global Moderator)

On pfSense create a host override - your clients point to pfSense for DNS, right?

So whatever.domain.tld points to your local IP 192.168.1.4, and then the PTR for 192.168.1.4 would also resolve to that..

[screenshot: hostover.png]

Frogg

Thanks for the help,
but I feel like I am lacking knowledge on this part.

In the network config of 192.168.1.4 (and all local machines) I use 192.168.1.1 as DNS.

In the interface the DNS Resolver was disabled, so I enabled it and added the Host Overrides.

dig domain.com

    ;; ANSWER SECTION:
    domain.com      960     IN      A       internetIp

dig -x domain.com

    ;; AUTHORITY SECTION:
    in-addr.arpa.           3600    IN      SOA     b.in-addr-servers.arpa. nstld.iana.org. 2020081164 1800 900 604800 3600

I think I am missing something to have the same result as yours.

johnpoz (Global Moderator)

@Frogg said in Port 443 timeout using Netcat but is working in browser:

> i use 192.168.1.1 as DNS

And what is that? Is that not pfSense? This only works if what you're using for DNS for your local network actually ends up asking pfSense.. so the host override can be returned.

If your network is using 192.168.1.1 for DNS, then set up your DNS records there.

Frogg

Yes, 192.168.1.1 is pfSense.
Maybe it requires a reboot, I'll give it a try.

johnpoz (Global Moderator)

You said the resolver was disabled - were you using the forwarder (dnsmasq)? If so then the host override would be set up there and not in the resolver (unbound). Both forwarder and resolver allow for host overrides. Set the override in whichever one you're using.

You can only have either the forwarder or the resolver running. You can not run both listening on 53.

A reboot is not required, that is for sure.. But you may have issues with local caching on the client, so you would have to flush the local DNS cache of whatever client you're testing from.

Frogg

Thanks again for the help!

Forwarder & Resolver (now changed to enabled) were disabled.

It seems I am using the default cache (so it should be flushed with a reboot):

    systemd-resolve --flush-caches
    Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.

After reboot the result is the same.

Any idea?

johnpoz (Global Moderator)

@Frogg said in Port 443 timeout using Netcat but is working in browser:

> Forwarder & Resolver (Now changed to enabled) was disabled

Huh? You can not use both at the same time.. You run into a race condition.. Which one are you using? Place your host override in the one you're using.. They both allow for overrides.

Do a directed query to pfSense to validate it returns the records you put in the host override..

    C:\>dig @192.168.9.253 ahost.domain.tld

    ; <<>> DiG 9.16.6 <<>> @192.168.9.253 ahost.domain.tld
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8719
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ahost.domain.tld.              IN      A

    ;; ANSWER SECTION:
    ahost.domain.tld.       3600    IN      A       192.168.1.4

    ;; Query time: 0 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Sep 08 13:40:59 Central Daylight Time 2020
    ;; MSG SIZE  rcvd: 61


    C:\>nslookup
    Default Server:  pi-hole.local.lan
    Address:  192.168.3.10

    > server 192.168.9.253
    Default Server:  sg4860.local.lan
    Address:  192.168.9.253

    > ahost.domain.tld
    Server:  sg4860.local.lan
    Address:  192.168.9.253

    Name:    ahost.domain.tld
    Address:  192.168.1.4

pfSense in my case is 192.168.9.253.

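The directed query above, and the forward/PTR pairing described in the earlier host-override post, can be scripted so that a monitoring host on the LAN checks the split-DNS setup directly against pfSense instead of relying on whatever its own stub resolver has cached. The following is an added example written for this thread; it is not code from the thread, from Netgate or from pfSense. It builds raw DNS A and PTR queries with the standard library only, sends them to a resolver address you supply (192.168.1.1 in Frogg's case, 192.168.9.253 in johnpoz's), and reports whether the name resolves to the expected local IP and whether the PTR for that IP points back at the name. The server address, hostname and expected IP are the assumptions; the two wire-format replies built by `sample_responses()` are constructed for the offline self-test, not captured traffic.

```python
"""Directed DNS check for a split-DNS host override (added example, not pfSense code).

Queries a chosen resolver straight over UDP/53 (bypassing the client's cache),
parses the A answer, then asks for the PTR of the expected address so a
"DNS fwd/rev mismatch" shows up as reverse_ok == False.
"""
import socket
import struct

QTYPE_A, QTYPE_PTR = 1, 12


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query, recursion desired, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                   # name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                          # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_answers(msg):
    """Return [(owner, qtype, rdata)] for A and PTR records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:                                # non-zero rcode, e.g. NXDOMAIN
        raise ValueError("rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        qtype, _qclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if qtype == QTYPE_A:
            out.append((owner, qtype, socket.inet_ntoa(msg[off:off + rdlen])))
        elif qtype == QTYPE_PTR:
            out.append((owner, qtype, read_name(msg, off)[0]))
        off += rdlen
    return out


def ptr_name(ip):
    """192.168.1.4 -> 4.1.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def query(server, name, qtype, timeout=2.0):
    """One UDP query with a hard timeout so a broken path fails fast instead of hanging."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:                          # transaction id must match our query
        raise ValueError("transaction id mismatch")
    return resp


def check_override(server, name, expected_ip):
    """Ask `server` directly and compare with the host override you configured."""
    a_records = [r for _, t, r in parse_answers(query(server, name, QTYPE_A)) if t == QTYPE_A]
    result = {"answers": a_records, "forward_ok": expected_ip in a_records, "reverse_ok": False}
    if result["forward_ok"]:
        ptrs = parse_answers(query(server, ptr_name(expected_ip), QTYPE_PTR))
        result["reverse_ok"] = name.rstrip(".").lower() in [r.lower() for _, t, r in ptrs if t == QTYPE_PTR]
    return result


def sample_responses():
    """Constructed replies (not captured) mimicking an override ahost.domain.tld -> 192.168.1.4."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)      # flags: qr aa rd ra, NOERROR
    owner = b"\xC0\x0C"                                           # pointer to the question name at offset 12
    a_resp = (hdr + encode_name("ahost.domain.tld") + struct.pack("!HH", QTYPE_A, 1)
              + owner + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + socket.inet_aton("192.168.1.4"))
    target = encode_name("ahost.domain.tld")
    ptr_resp = (hdr + encode_name(ptr_name("192.168.1.4")) + struct.pack("!HH", QTYPE_PTR, 1)
                + owner + struct.pack("!HHIH", QTYPE_PTR, 1, 3600, len(target)) + target)
    return a_resp, ptr_resp


if __name__ == "__main__":
    import sys  # usage: python check_override.py 192.168.1.1 ahost.domain.tld 192.168.1.4
    print(check_override(*sys.argv[1:4]))
```

Run it from a LAN host with the pfSense address, the overridden name and the local server IP; `forward_ok` False means the override is not being served by the DNS service the client actually uses (forwarder vs resolver, as discussed above), and `reverse_ok` False is the PTR side of the mismatch. Because the query goes to the named server rather than through the OS resolver, a stale client cache cannot mask the result.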
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.